Mixed Mining Arts? UFC Website Removes Malicious Crypto Code

It's the latest large site seen to be running up site visitors CPU to crank out cryptocurrency.

AccessTimeIconNov 7, 2017 at 8:00 p.m. UTC
Updated Sep 13, 2021 at 7:08 a.m. UTC

A subscription streaming site owned by mixed martial-arts powerhouse Ultimate Fighting Championship (UFC) is at the center of the latest controversy around clandestine, browser-based cryptocurrency mining.

Multiple users on social media reported yesterday that code developed by Coinhive – a monero mining script that can be embedded in a web page – was found in the code on the UFC's Fight Pass streaming site. It's unclear at this time where the code was sourced from, and a customer support staffer for UFC told a user that "we take these matters very seriously, and will review this."

“Immediately upon learning of the reported issue, Neulion, UFC’s over-the-top digital service provider, reviewed the UFC.TV/FIGHTPASS site code and did not find any reference to the mentioned Coinhive java script," A UFC spokesperson wrote in a statement to CoinDesk, subsequent to publication. "We are continuing to review the available information and feel confident that there are no coding issues across the site at this time.”

But Reddit users contend they found lines of code for Coinhive's mining script in the HTML for the page, as shown in two different screengrabs shared to Imgur.

The software was also spotted running by several users, included one who later flagged it onon Twitter. After one reddit user emailed UFC support about it, he got a response saying that they were looking into it. The attention that the situation attracted appears to have spurred UFC to action, as the script was ultimately removed, according to another post.

None of the screencaptures on the Internet Archive from yesterday show the script in the source code on UFC.com, but the captures from yesterday were made after these reports started coming out.

The move represents the latest instance in which a well-known site played unwitting host to the Coinhive script, which utilizes a user's computer capacity to mine the privacy-oriented cryptocurrency monero.

Subsequent to publication, Coinhive emailed CoinDesk to say that since none of the screenshots included the site key, it couldn't give any information on how much had been mined or if it had happened. "For what it's worth, we didn't notice any new 'top user' in our internal site wide dashboard. So the miner was either removed quickly again or didn't affect a lot of endusers," the company wrote in a statement. "Just for the record, we have a strict policy against using our service on 'hacked' sites and will terminate accounts that violate our terms of service, as soon as we're notified of them."

A streaming service run by Showtime previously found Coinhive code running on its sites, and web security firm Cloudflare has expressed its intent to crack down on sites that add mining software to sites without first notifying users.

This story has been updated with comment from Coinhive and UFC.

Correction: A previous version of this article inaccurately stated that CoinDesk has been in contact with UFC.

UFC fighter Vitor Belfort via Shutterstock.


Read more about

DISCLOSURE

Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups. As part of their compensation, certain CoinDesk employees, including editorial employees, may receive exposure to DCG equity in the form of stock appreciation rights, which vest over a multi-year period. CoinDesk journalists are not allowed to purchase stock outright in DCG.

Trending

1
CoinDesk - Unknown
Three Arrows Paper Trail Leads to Trading Desk Obscured Via Offshore Entities

As Three Arrows Capital collapsed under market pressure, its much-lesser known trading desk, TPS Capital, remained active, sources say. But a complex ownership structure might frustrate creditors' efforts to collect.

CoinDesk - Unknown
2
CoinDesk - Unknown
June Was Bitcoin’s Worst Month Ever

Plus, European crypto regulation comes into view.

CoinDesk - Unknown
3
CoinDesk - Unknown
What Traders Are Saying About Bitcoin's Biggest Monthly Loss in 11 Years

Poor macroeconomic sentiment, fears of inflation and systemic risks from the crypto market pushed the cryptocurrency below 2017’s highs.

CoinDesk - Unknown
4
CoinDesk - Unknown
Three Arrows Capital Files for Bankruptcy in New York Tied to British Virgin Islands Proceeding

A British Virgin Islands court ordered Three Arrows' BVI branch into liquidation earlier this week.

CoinDesk - Unknown